Several years ago, the idea of hiring security researchers to work at large software companies was something of a novelty. Vendors such as Microsoft, Oracle Corp., IBM and others took a dim view of this, reasoning that there was no way to know whether someone who was prone to breaking their applications could be trusted in a corporate environment. This was a big topic of conversation in the industry, especially among the researchers, and there was a lot of back-and-forth on mailing lists and at conferences about who was selling out and who was staying true.
Of course, that was all before security research became a mainstream profession, one at which guys like Dave Aitel, HD Moore, David Litchfield and others could make a legitimate living. And now, it seems that there are more researchers inside the belly of the beast than outside. Microsoft has been especially active in hiring researchers, and they’ve just struck again with the news that Matt Miller is joining the Microsoft Security Science team. Miller, also known as Skape, has been doing serious research on Windows exploitation for years and is a major contributor to Moore’s Metasploit Project, as well. Miller is also the author of WehnTrust, a host IPS.
Michael Howard, Microsoft’s resident security development lifecycle chief, announced Miller’s hiring in a blog post: “It’s wonderful to see us hiring more talent like Matt.” And I think he’s right on. I never understood the argument that hackers/researchers needed to stay independent (read: unemployed) in order to do good work. What better place to get a chance to attack the guts of Windows than Redmond? If you look around right now, some of the most innovative research is being done by researchers with corporate backing: Mark Dowd and Alex Sotirov’s Windows memory protection attacks, Billy Hoffman’s AJAX ninjitsu, Billy Rios and Nitesh Dhanjani’s phish poisoning, and Jose Nazario’s continued mastery of the botnet scene.
The idea is to hire the smartest people and let them tackle the hardest problems, right? With Miller’s hiring, you can put one more in the Redmond column.